FORUM: Managing reputational risk

FW moderates a discussion on managing reputational risk between Harlan Loeb at Edelman, David Imison at Schillings, Michael J. O’Leary at EY, and Tracy Knippenburg Gillis at Marsh Risk Consulting.

FW: How can companies measure and quantify their reputational risk? What are the key determinants?

Imison: When it comes to measuring or quantifying reputation risks there are two distinct event types to consider – ‘direct’ risks and ‘consequential’ risks. Direct risks occur because a third party has decided they want to damage your reputation and they will often rely on various underhand means to do so. The bad news about this type of reputation risk is that it can be quite hard to predict or measure. The good news, however, is that a combination of monitoring technology and open source intelligence gathering can help you spot the issue early on and analyse the parties behind it. After that there are various legal options at your disposal to address the perpetrators. The second type of risk is what we would call a consequential risk, where your reputation is being harmed as a result of something you or your company has or hasn’t done. The good news about this type of risk is that it is much easier to forecast. The challenge though is that enterprise risk management isn’t very good at dealing with the subtleties of reputation. A reputation impact assessment (RIA) can help companies properly identify potential reputation risk events and measure their potential impact across multiple stakeholder groups.

O’Leary: Reputational risk can vary based on your organisation’s industry, geographic footprint and operating model. In addition, you need to think about reputational risk in terms of your business strategy and risk appetite. In the last few years, organisations across sectors have adopted digital platforms to stay connected with their customers as well as create additional sales and marketing channels. This technology shift has increased companies’ risk exposure. Businesses penetrating emerging markets take on some level of reputational risk. Many struggle working with third party distribution channels to maintain the same levels of quality associated with their brand. Typical factors to consider when measuring reputational risk include the potential financial and strategic impact on the organisation, the velocity at which the risk can permeate, and the impact the increasingly digital and social media landscape can have in cascading the issue. Companies need to consider these factors when thinking about the potential reputational risks they could incur while executing their business strategy.

Gillis: Reputational risk is hard to measure. This is no surprise since it represents a mix of tangible and intangible values as well as probable and uncertain reactions and outcomes. Existing measures and tools tend to view reputational risk through a singular lens – financial metrics or media reactions, for example. We believe reputational risk is inherent in all the risks an organisation faces, and in fact should be considered an outcome rather than viewed as a risk at all. To ‘measure’ reputational risk, start by determining how reputation is valued internally. Quite simply, that is the value of what is at ‘risk’. Then identify, measure and mitigate those risks that can threaten reputation. Key determinants of reputational damage are the risk or event itself, the value of the risk impacts, contextual factors, likely consequences and then the organisation’s ability to respond effectively. The strength of the organisation’s reputation and goodwill among stakeholders will affect the reaction, and may reduce or amplify reputational damage. A poor response can cause more damage than the event itself.

Loeb: In its simplest terms, reputational risk is the gap between corporate performance and stakeholder expectations. While expectations can be measured quantitatively against performance, the impact of reputational risk is qualitative and unique to industry sectors, as well as the idiosyncrasies of the particular company. As an example, let’s use sub-par customer service. The reputational risks for British Airways are less consequential than they are for Wal-Mart as consumer choice is far more elastic for a price driven retailer than it is for an airline.

FW: With reputational risk cited as a number one concern by board members, what advice can you offer on ways to reduce the reputational risk they face? How should they manage expectations?

Gillis: Boards should ensure an effective enterprise risk management program is in place, so they have confidence the organisation is taking a broad view of risks and can monitor progress on the management of the company and its risks, reputation and response preparedness. Recognising what is of greatest value to the organisation is a good first step to effectively managing reputational risk – from a high margin and revenue producing product, to key markets or unique, leading brand positioning. Risk mitigation efforts will vary depending on the organisation’s value chain, but typically include regular risk assessments that address both risks and potential reputational impacts, robust risk management activities, active brand management, a risk awareness culture and maintenance of response, resiliency and related preparedness capabilities. An organisation’s reputation is never at greater risk than when facing an adverse event or crisis, so organisational preparedness is critical. Boards must fully understand the status of defined and disciplined response capabilities, including within the C-suite.

O’Leary: Organisations need to take a proactive approach in fully assessing internal and external reputational risks relevant to their business and industry. They need to be thinking about the reputational risks associated with every business decision, assessing the potential risks and determining how to best limit the negative impact if a risk event occurs. Monitoring social and digital media outlets is becoming an increasingly vital step for organisations to consider, along with having plans in place to address risk events. Identifying, assessing and developing response plans is one way to manage expectations and be prepared should a risk event occur.

Loeb: Reducing reputational risk is a leadership exercise, horizontally and vertically, that begins with a cross functional team mapping and prioritising risk. With this matrix in place, companies can benchmark the existing gaps in performance on priority risks and begin the process of developing a corrective action plan on each risk with specificity, metrics and ongoing tracking.

Imison: First, you need to understand and measure your reputation risk exposure and second you need to take steps to manage the risks. In practice though, many organisations still see this as being something of a black art. In order to understand and measure reputational risk, boards need to ensure that they have delegated responsibility appropriately. The general counsel, corporate affairs director or chief risk officer need to have the right tools in place to forecast and report upwards on reputation risks. Existing enterprise risk management approaches typically need to be enhanced in order to do this. Once the board has proper oversight of the full range of reputation risks, as well as risk indicators that help them track exposure over time, board level ownership can be assigned and actions taken to reduce the reputational risk exposure. To make sure this is a repeatable process that actually helps protect the organisation’s reputation, it is important to make sure the assessment and management of risks is part of the overall system of corporate governance. Leading organisations are doing this in a variety of ways; in the financial services sector, for example, this tends to mean the appointment of a reputation risk manager, who is a subject matter expert responsible for developing reputation risk assessment processes and coordinating input from different individuals across the organisation.

FW: In your opinion, should only companies of a certain type and size be concerned about reputational risk?

O’Leary: As the global business environment continues to expand in complexity, we believe virtually all organisations should recognise the importance of being prepared to monitor and address reputational risks. In the past, some organisations have not recognised how critical this can be – particularly with the rapid pace at which information moves in the digital age. Technology and globalisation necessitate that organisations at a minimum consider reputational risk when evaluating their risk landscape. When a risk event does occur, they will need to be able to respond much more quickly than ever before to reduce the impact to the organisation.

Imison: We recently surveyed a group of leading equity analysts, pension fund managers and private equity houses on this topic and the message that came back was clear: when considering a company’s reputation there is no such thing as a low risk sector or company. However, when it comes to size, there is a difference in focus. Our research has shown that for the smaller organisations, the key determinant of reputational risk is the individuals that run the business. It is important, therefore, that organisations of all sizes take appropriate steps to protect the privacy and reputation of their management team. Although reputation risk is of equal concern to all organisations, clearly the manner in which they address it will be dependent on the size and scale of the organisation and the resources at their disposal.

Loeb: Reputational risk is size and category agnostic. Smaller business-to-business companies, for example, can be dramatically impacted by a single reputational risk. Recently, a beef processor in the US lost almost 75 percent of its value because of an online campaign filled with inaccurate information. The moment the social conversation went viral nearly all of the customers pulled their business, not because of any concern over quality but because the reputational risk was simply too high.

Gillis: No organisation is immune to reputational risk. Every organisation can face adverse events with financial, operational and reputational impacts. It is important to realise that reputational risk can result from physical or non-physical events. Interestingly, reputational damage can occur based on perception, relationships and the conduct of individuals. Every organisation, large and small, has a range of risks, key stakeholders and relationships, and expectations for performance and standards. That said, organisations can and should manage their activities in a manner that is proportionate to their size, scope and risks. Every organisation needs good, effective management, strong policies and governance, and appropriate levels of response readiness. Without the ability to respond if bad things do happen, the organisation is likely to suffer potentially severe reputational damage.

Loeb: Companies should adopt the mindset that every operational risk has an inchoate reputational risk embedded at its core. Perhaps like no other enterprise function, when a reputational risk that resides in operations is activated, the results are typically the most consequential. This is particularly true when the operational risk relates to the core competency of the company in the marketplace. General Motors, Sony and JP Morgan Chase’s trading losses are all prime examples of this.

Gillis: If we view reputational risk as the outcome of other risks already within the organisation’s risk universe, the alignment of reputational risk management strategies with operational realities becomes much easier. Risk assessment and management tools should be used for traditional, physical risks such as workplace accidents, natural disasters and fires, as well as other operational risks such as cyber risk, data breaches and product recalls. However, it is important to include both reputational risk specific elements and a broader recognition of event impacts in these assessments, which often is left out. The use of facilitated planning and scenarios to consider potential reputational as well as operational impacts can be a powerful method of evaluating both an organisation’s range of risks and response requirements. The past is a great teacher; so much can be learned from others who have experienced adverse events resulting in reputational damage. However, new dynamics, such as heightened public expectations, social media and increasing consumer activism, reinforce the need to continually evolve your organisational resiliency and preparedness efforts.

Imison: Organisations can align their reputational risk management strategies with the company’s operations by plugging into existing information flows and governance structures. Data is created, processed, stored and communicated across the business. This data contains a wealth of information about reputation risk. One of the key elements of effective reputation risk management is being able to identify the key sources of data and knitting these together. By tapping into existing information flows from other functions it is possible to create an aggregate picture of reputation risk across the organisation. With regard to existing governance structures, some organisations are large or complex enough to warrant a separate reputation risk management committee. Most organisations should use their existing corporate governance structures to give top management oversight of reputation risks. Examples we have seen recently include adding a reputation risk management audit to the schedule of internal audits, so that the information is escalated to the risk or audit committee, and establishing reputation as an item reserved for the ethics committee.

FW: How effective can reputation insurance be in managing risk? What general levels of protection and coverage are available?

Imison: Insuring risks to intangibles is becoming more and more important in today’s commercial context. From an insurance point of view, so much more emphasis is now placed on where value resides in the organisation. Clients are not just interested in physical damage to bricks and mortar; they are also concerned with non-physical damage to intangible items like data, intellectual property and reputation. Fundamentally, risk managers should now be asking in their risk assessments, what could cause a reputation event, and if it happened, what would be the ramifications to our business? For example, a hotel franchise may be concerned with a number of reputation damaging events such as valet parking disasters, loss of sensitive customer data or food poisoning. These risks may occur at one location, at multiple locations or indeed to a key hotel supplier but could all lead to the sort of social media contagion that might affect key metrics, such as revenue per available room or simply a reduction in daily occupancy. Insurance is not, by any means, a panacea to this problem, but for residual reputation risks that cannot be eliminated, it is possible to indemnify yourself against loss of sales volume, increased operating costs or increased public relations or legal expenses. The market in this area is still nascent, but there are insurers out there who offer innovative customer solutions. The key to reputation risk transfer is to be able to create the causal link between what can cause a reputation event and what financial impact it could have. Again, this all comes back to having the right tools in house to deliver the reputation risk assessment.

Gillis: There are many insurance solutions, but building the best cover requires some creativity. Reputational risk insurance products, in particular, are evolving in an attempt to provide a needed solution. However, the challenge remains how to measure the risk, quantify actual damages and provide a transfer solution that will be both cost-effective and provide meaningful support. Existing insurance products for reputational risk tend to provide specified services – for example, public relations or advertising – rather than a more flexible means to manage the underlying event plus support the response needed to manage the situation and address broader and longer-term impacts and consequences. Insurance will never make the risk go away. In this light, the best ‘insurance’ an organisation can have is a robust, well-integrated and well-practiced crisis management response capability. The goal is to respond swiftly and effectively, such that the situation is resolved promptly and reputational impacts are minimised.

Loeb: Hedging risk with insurance works well in arenas in which the actuarial science is relatively strong and the risk can be remedied financially. Reputation is unique to every holder and as much as BP, Lance Armstrong, Arthur Andersen, Brian Williams and many others would benefit greatly from the capacity to buy their reputations back, it’s simply not possible.

FW: Given that social media can have a major impact on perceptions of a company’s reputation, what strategies can companies utilise to negate negative publicity through these channels?

Gillis: Whether your organisation has a formal communications function or actively participates on social networks, social media cannot be ignored. In fact, it could be what propels you into a crisis. Recognise this risk and consider in advance how you will manage social media as part of your broader crisis management strategy and program. Establish clear frameworks and tactics to identify, monitor, measure and manage social media risks. Social media can be a vital early warning system for bigger issues looming on the horizon. The sooner you see a problem coming, the better positioned you can be to manage and resolve it quickly and effectively. Further, a social media policy is no longer a ‘nice to have’. Like with other crisis communications efforts, develop in advance basic strategies for monitoring social media during crisis events, incorporate social media into your broader crisis communications plans, and be prepared to adjust your response accordingly. And keep in mind that sometimes no response can be the best approach.

O’Leary: Leveraging monitoring technology is becoming increasingly vital. Companies need to be aware of negative publicity so they can proactively address it, but they also need to be aware of positive publicity so they can take advantage of it. Companies need to be thinking about not only managing the negative impact and maintaining their brand, but leveraging positive publicity especially when it originates from stakeholders external to the organisation. Additionally, it is important that companies have proactive protocols and policies around social media for employees, vendors and other key stakeholders.

Loeb: The first line of defence is integrated social media monitoring. When set up in advance, this monitoring provides an understanding of overall corporate perception. It allows companies to adjust rapidly to conversational trends. Setting up an effective conversation monitoring program starts with a deep understanding of the business – the industry, key executives, the countries and languages in which business is conducted, and the competition. Teams should focus on three key areas when getting started. The first is search audits. Start by grasping the language of your target audiences, especially how they search for information online. This delivers a glimpse into consumer behaviour and provides a full set of keywords that are used actively and associated with your organisation. The second area is conversation audits. Identify the keywords to form a taxonomy that can be entered into an analysis tool to monitor online conversations as they happen and help gauge interest in the organisation online. This will help companies understand language, opinions, industry trends, the key channels on which people engage as well as preferences that may prove important to an organisation’s content and messaging. The third area is influencer analysis. Identifying the important personalities and organisations in the industry can prove valuable as they serve as key opinion makers that help shape consumer opinions and amplify messaging. Research and identification can help prepare companies to expand their influencer communities, what they care about and how they engage online and offline.

Imison: Given the volume of information flooding across social media at any moment in time, most organisations have acquired third party media monitoring technology. In our experience, social media monitoring tools are usually good for analysing high volume events. So, for example, they are useful for tracking sentiment around a particular PR campaign or for identifying trends around a particular issue. What they tend to be less good at is picking up evolving reputation problems early on in the lifecycle and getting them quickly to the right person. We believe social media monitoring can be used as an open source intelligence (OSINT) platform in order to manage negative publicity before it gains traction.

FW: How do you see reputational risk management strategies developing and evolving in the years ahead?

O’Leary: As we look ahead, more advanced technologies will aid companies in monitoring and mitigating reputational risk. This will be important as the sophistication of cyber risk and other factors also evolves. At the same time, we believe the complexity of issues to consider will become broader as the global business environment and emergence of developing markets grows. Companies need to be thinking about how they not only incorporate reputational risk in what they do today, but what they can do to proactively anticipate risk down the road.

Imison: Risk management strategies will likely be driven forward by a new breed of non-executive directors (NEDs), as an aspect of good corporate governance. NEDs are nowadays expected not only to understand the detailed mechanics of the organisations they advise, but also to have specific risk management skills. The NEDs are there to hold the executive team to account on behalf of the company’s shareholders. We believe that in order to do this properly they should have adequate oversight of the company’s reputation risks – the output of the RIA – and should expect the executives to take carriage of the management strategy to deal with these risks. We believe the NEDs will have a key role in seeking assurance that these reputation strategies are fit for purpose and protect the interests of shareholders, employees and partners. We also believe that risk management strategies will apply the principles of big data that are already being used by so many business intelligence functions. A key element of reputation risk management is being able to understand what information your organisation creates, how it creates that information and who it communicates it to. Whether it is a whistleblower, a regulator’s report, a newspaper article or a bad tweet, information is the creator and the destroyer of reputation. It is important to know what information is private and confidential, to identify what could cause that information to become public and to put appropriate controls in place to manage it. It is also important to know where to look for information to give you a heads up on evolving risks.

Gillis: Reputational risk strategies must continue to evolve based on two accelerating trends: environmental complexity and velocity. The global environment within which organisations operate continues to become increasingly interwoven and complex, which makes managing your organisation and reputational risk challenging and complex. Further, risks are arising more quickly than ever before. Much has been written about the agile enterprise. One area where agility is critical is the organisation’s ability to rapidly respond based on a ‘360-degree view’. The ability to anticipate and respond effectively, and then learn from events, is essential to building organisational resilience. This must become part of the business DNA from the C-suite and board level down throughout the enterprise. External expectations for how organisations should operate and respond continue to increase, with no signs of relief. Organisational preparedness, and reputational risk management strategies, driven from the highest levels of the organisation are necessary. Oversight, effective governance and controls and effective enterprise risk management are all key, and must be continually evaluated and evolved to meet new and emerging demands.

Loeb: While reputational risk has escalated dramatically over the last decade, it has been understudied in practical terms. But that is changing. With a growing number of reputational risk officers populating companies all over the world, particularly in the banking industry, there is a companion need for increasing rigor on metrics as well as tools and processes. Most important is a fundamental pivot in mindset – reputational risk management is a capability and not a function. As much as companies demur to function to solve problems, reputation is fluid and dynamic and managing the risks well is much like a political campaign, which requires developing the muscle memory and heuristics that facilitate immediate action.

David Imison is Director of Risk Consulting at Schillings. A risk specialist with extensive experience in defending reputations and improving business performance, Mr Imison helps businesses to identify and manage reputational threats before they become news. Utilising governance, risk and compliance approaches, he coordinates reputation management activities to better protect clients from unwanted scrutiny. He can be contacted on +44 (0)207 034 9000 or by email: david.imison@schillings.co.uk.

Mike J. O’Leary graduated from Canisius College in 1995 and is a CPA. Currently, he is a partner based in Chicago and the Global Internal Audit leader at EY, where he is responsible for practice management, client service, innovation and growth for a global practice of approximately 4800 professionals. He is also a member of the firm’s global advisory executive committee. He can be contacted on +1 (312) 879 4605 or by email: michael.oleary@ey.com.

Tracy Knippenburg Gillis leads MRC’s global practice focused on reputational risk, corporate preparedness and real-time response. With more than 25 years’ experience working with clients across all industries, she provides tailored and integrated solutions to strategically manage risks and protect organisations from the effects of crisis situations, reputational risks and other adverse events. Ms Knippenburg Gillis is a renowned thought leader and author on corporate preparedness and is frequently published on the topic. She can be contacted on +1 (212) 345 3886 or by email: tracy.knippenburggillis@marsh.com.